Computer Engineering and Applications ›› 2019, Vol. 55 ›› Issue (3): 83-89.DOI: 10.3778/j.issn.1002-8331.1711-0246

Previous Articles     Next Articles

Effective Network Feature Filtering Algorithm for APT Samples

LI Yihong, DU Zhenyu, HU Jinsong   

  1. Department of Network, Electronic Countermeasure Institute,National University of Defense Technology, Hefei 230037, China
  • Online:2019-02-01 Published:2019-01-24

APT样本的有效网络特征筛选算法

李翼宏,杜镇宇,胡劲松   

  1. 国防科技大学 电子对抗学院 网络系,合肥 230037

Abstract: By studying the defense scheme of APT attacks, this paper proposes an effective network feature filtering algorithm based on [k]-means++ clustering to deal with the problem of high dimensionality of network features which extracted from APT samples. Firstly, this algorithm divides the original feature set into APT traffic feature set and normal traffic feature set by the clustering method. Then, it calculates the degree of variation of clustering performance after removing a certain dimension feature. Finally, the degree of discrimination of the feature vector is evaluated according to the result. Among them, the effective feature vector is whose discrimination degree exceeds the set threshold. The purpose of this paper is to filter out the effective features from the extracted original feature sets. In this way, it can reduce the dimensionality of the features so as to reduce the space-time overhead of subsequent threat intelligence formation and detection. The experimental results show that the proposed algorithm is feasible and has some advantages over other filtering algorithms.

Key words: APT attack, network features, dimension reduction, [k]-means ++, discrimination

摘要: 在研究APT攻击的防御方案过程中,针对提取APT样本网络特征的维数过高问题,提出一种基于[k]-means++聚类的APT样本有效网络特征筛选算法。该算法的思路是首先基于聚类的思想将提取的原特征集划分成APT流量特征集与背景流量特征集,然后计算去掉某一维特征向量后聚类性能的变化程度,最后根据该结果评价该特征向量的区分度。其中,有效特征向量即为区分度超过设定阈值的特征向量。目的就是从提取的原特征集中筛选出有效特征,达成对特征的降维,从而降低后续威胁情报形成和部署检测工作的时空开销。实验结果表明,该算法具有一定可行性,针对此问题相比于其他筛选算法具有一定的优势。

关键词: APT攻击, 网络特征, 降维, [k]-means++, 区分度